Resilient cryptographic scheme

ABSTRACT

A method for communicating information between at least a pair of correspondents, the method comprising the steps of each of the correspondents selecting a plurality of cryptographic algorithms known to each of the correspondents. One of the correspondents applies the algorithms in a predetermined manner to a message for producing a set of processed information. The set of processed information is transmitted to the other correspondent. The other correspondent applies complementary operations of the cryptographic schemes in accordance with the predetermined manner for deriving information related to the message from the processed information.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation of International Application No. PCT/CA00/0040, filed Jan. 20, 2000, which claims priority benefit of Canadian Patent Application No. 2,259,738, filed Jan. 20, 1999.

This invention relates to cryptographic schemes, and particularly, to a method for implementing a cryptographic scheme that is resistant to catastrophic failure.

BACKGROUND OF THE INVENTION

Cryptographic schemes allow correspondents to send messages in secret or hidden form, so that only those people authorized to receive the message will be able to read it. Cryptographic schemes are generally based on one of two systems, namely, a private key system or a public key system. In a private key system, the method for data encryption requires the parties who communicate to share a common key. Private key systems have the disadvantage that the users of the scheme have to somehow exchange a common key in a secure fashion before any data is encrypted. This key should also be changed relatively often for other cryptographic reasons.

Whereas private key cryptography utilizes a single key for both encryption and decryption, public key cryptography utilizes several different keys for encryption and decryption. The encryption keys can thus be made public with the decryption keys maintained secret.

Public key systems have been deployed in specific systems. For example, the RSA scheme is a deployment of the general public key scheme. Similarly, discrete log systems and elliptic curve systems are other deployments of the general public key system. Public key systems may also be used to sign messages so that a recipient may verify the origin of the message using a public key of the sender.

Obviously, in a cryptographic system there is the threat of an attacker obtaining or deducing the key, the private key in the case of public key systems, and thereby compromising communication between a pair of users. The lucky recovery by an attacker of one or two keys is not in itself a serious problem, as a particular key can be revoked and disallowed for further use. However, a serious threat to the future resiliency of a particular cryptographic scheme is the ability of an attacker to devise a systematic method whereby a large number, or even all keys, for that system can be recovered. The resistance to such systematic attacks will depend on the underlying system used, but one factor is the key size.

For example, in the RSA scheme, keys of 512 bits or less are extremely vulnerable to a variety of attacks.

Corporate-wide deployment of a specific scheme is normally based on an assumption that the scheme will be secure at least for some time beyond the near future. However, just as cryptographic systems are advancing in their security, so are attackers advancing in devising new attacks against these systems. For example, in the future there may be an advance on the special purpose attack method which attacks a subset of keys for a particular scheme or there may be an advance in a general purpose attack method which attacks essentially all keys. The response to a special purpose attack on a keyed algorithm is to generally exclude weak cases, i.e., keys with a certain weak property. Similarly, a general-purpose attack can be addressed by increasing the primary security parameters to where attacks are again infeasible.

Therefore, there is a need for a cryptographic scheme that is more resilient than the schemes presently in use.

SUMMARY OF THE INVENTION

Accordingly, it is an object of this invention to provide a more resilient cryptographic scheme that is more resistant to specific or general purpose attacks than current schemes.

In accordance with this invention there is provided a method for communicating information between at least a first and a second correspondent, the method comprising the steps of: selecting a plurality of cryptographic algorithms known to each of the correspondents;

the first correspondent applying the algorithms in a predetermined manner to a message to produce processed information;

transmitting this processed information to the other correspondent; and

the second correspondent applying complementary operations of said cryptographic schemes in accordance with the predetermined manner to derive information related to the message from the processed information.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features of the preferred embodiments of the invention will become more apparent in the following detailed description in which reference is made to the appended drawings wherein:

FIG. 1 is a schematic diagram of a communication system;

FIG. 2 is a flow diagram showing a signature scheme according to an embodiment of the present invention;

FIG. 3 is a flow diagram showing a further signature scheme according to an embodiment of the invention; and

FIG. 4 is a flow diagram of a key agreement scheme according to an embodiment of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring to FIG. 1, a communication system having at least a pair of correspondents is shown generally by numeral 10. It is assumed that the correspondents 12 and 14 incorporate cryptographic units 16 and 18 respectively. For convenience, the first correspondent will be referred to as a sender and the second correspondent will be referred to as a receiver. Generally, a plain text message is processed by the encryption unit of the sender and transmitted as ciphertext along a communication channel to the receiver where the encrypted message is decrypted by the cryptographic unit 18 to recover the original message.

Referring to FIG. 2, a signature scheme according to an embodiment of the invention is shown generally by numeral 30. In this embodiment, the correspondents select several signature schemes such as RSA, DSA and ECDSA from a plurality of signature schemes. Using these three signature schemes, the sender processes the information to be signed to produce three sets of processed information in the form of three independent signatures (S₁, S₂, S₃). These combine to form a multiple signature. The individual signatures are then transmitted to the recipient who then verifies the signatures using the corresponding verification part of the algorithm.

Thus, it may be seen that a break in any one or two algorithms will not affect the validity of the remaining signatures. Therefore, if all three signatures cannot be verified, the recipient is aware that at least one of the sets of processed information may have been interfered with by a third party. In order for the third party to effectively interfere with a signature using such a scheme, the third party has to break all of the encryption algorithms used. Although the third party may be able to uncover information related to the original message, it is of little use without breaking the remaining algorithms.

Although the present embodiment is described as selecting three signature schemes, any plurality of schemes may be used as required by a particular implementation. Further, effective signature schemes other than RSA, DSA, and ECDSA may also be used.

An alternate embodiment is illustrated in FIG. 3 by the numeral 40. The sender uses ECDSA for generating a set of processed information in the form of an EC signature. The sender subsequently inputs the EC signature to an RSA signature generation function (with message recovery) to generate a further set of processed information in the form of an RSA signed EC signature. The RSA signed EC signature is then transmitted to the recipient.

The recipient initially recovers the EC signature from the RSA signed EC signature. The recipient then recovers the original message from the EC signature and verifies the identity of the origin of the message. The EC signature thus provides redundancy for preventing manipulation attacks on the RSA signature. As in the previous embodiment, in order for the third party to effectively interfere with a signature using such a scheme, the third party has to break all of the encryption algorithms used. However, using the present embodiment will prevent the third party from uncovering information related to the original message unless all of the encryption algorithms are broken.

Furthermore, using alternate signature schemes or the same schemes in a different order is possible.

Yet another alternate embodiment is illustrated in FIG. 4, referred to generally by the numeral 50. In the present embodiment, the correspondents wish to communicate with a symmetric key. In general, public key schemes are used to assign symmetric keys transmitted between correspondents. The symmetric keys are then used by the correspondents to encrypt and decrypt messages transmitted between the correspondents. The symmetric key is then divided into a plurality of parts. In this example, the key is divided into three parts and each of the parts is encrypted with a respective cryptographic algorithm. The first part is encrypted with RSA, the second part with a discrete log (DL) encryption, and the third with EC encryption. The three parts are then transmitted to the recipient who recovers all three parts by applying the corresponding decryption operation on the respective part. Each of the parts is then XOR'd together to derive the symmetric key. A key confirmation algorithm may then be used to ensure that the recovered symmetric key is correct. A break in one or two of the algorithms will not allow an adversary to recover the value of the symmetric key.
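The split-and-XOR key transport of FIG. 4, as an added illustration that is not part of the patent: the key is divided into parts whose XOR equals the key, and the receiver recombines them and runs a key-confirmation check. The per-part public-key encryption with RSA, DL and EC is assumed to happen outside this code, and the HMAC-SHA256 confirmation tag is this example's own assumption.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Sequence

# Added example (not the patent's own code) of the FIG. 4 embodiment: a
# symmetric key is split into n parts whose XOR is the key. Each part is
# meant to be encrypted with a different public-key algorithm (RSA, DL,
# EC) before transmission; that step is assumed to happen outside this
# code, so the receiver starts from the already-decrypted parts.

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("parts must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, parts: int) -> List[bytes]:
    """Split key into `parts` shares with XOR(shares) == key.
    All shares but the last are uniformly random, so any proper subset is
    independent of the key: breaking one or two of three algorithms
    (hence recovering one or two parts) reveals nothing about it.
    """
    if parts < 2:
        raise ValueError("need at least two parts")
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)
    return shares

def recombine(shares: Sequence[bytes]) -> bytes:
    """Receiver side: XOR all recovered parts back together."""
    key = bytes(len(shares[0]))
    for share in shares:
        key = xor_bytes(key, share)
    return key

def confirmation_tag(key: bytes, context: bytes) -> bytes:
    """Key confirmation, an assumed construction: HMAC-SHA256 over a
    label and session context under the recovered key."""
    return hmac.new(key, b"key-confirmation|" + context, hashlib.sha256).digest()

def receiver_recover(shares: Sequence[bytes], tag: bytes,
                     context: bytes) -> Optional[bytes]:
    """Accept the recombined key only if the sender's tag verifies; a
    tampered or mis-decrypted part changes the key and fails the check."""
    key = recombine(shares)
    if not hmac.compare_digest(confirmation_tag(key, context), tag):
        return None
    return key

if __name__ == "__main__":
    session_key = secrets.token_bytes(16)  # constructed sample key
    rsa_part, dl_part, ec_part = split_key(session_key, 3)
    tag = confirmation_tag(session_key, b"session-42")
    assert receiver_recover([rsa_part, dl_part, ec_part], tag, b"session-42") == session_key
    print("key recovered and confirmed")
```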

For key agreement, the sender composes three shared secrets from RSA, DL and EC key agreement schemes (respectively), all three of which are then input to a symmetric key derivation function. Alternatively, the sender may derive three symmetric key parts independently from an RSA shared secret, a DL shared secret, and an EC shared secret.

In a message authentication code (MAC), the correspondents can use different MAC algorithms such as DES-CBC-MAC and HMAC and then follow one of the signature models described above. For data encryption, the correspondents supercipher with different symmetric or asymmetric algorithms.

The present invention may also be applied to one way hash functions by using multiple hash outputs, where the multiple hash functions are preferably based on different functions. The present embodiment is similar to the first embodiment. Different hashing functions are applied to the same message. The results of the hashing functions are sent to the recipient along with an encrypted message. If a third party breaks one or two of the hashing functions, it will not affect the validity of the remaining hashing functions. The recipient verifies the authenticity of all of the hashing functions. If the third party has interfered with the transmission without breaking all of the hashing functions, then not all of the hashing functions will verify. Therefore, the recipient will be aware that the third party has attempted to interfere with the transmission.
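The multiple-hash embodiment above, as an added example that is not the patent's own code: several independent hash functions are applied to the same message, every digest accompanies it, and the recipient accepts only when all of them verify, reporting which ones failed. The choice of SHA-256, SHA3-256 and BLAKE2b is this example's assumption.

```python
import hashlib
import hmac
from typing import Dict, Sequence

# Added example (not the patent's own code) of the multiple-hash
# embodiment: independent hash functions are applied to the same message,
# every digest is sent along, and the recipient accepts only if all of
# them verify. The particular algorithms are this example's choice.

HASH_ALGORITHMS = ("sha256", "sha3_256", "blake2b")

def produce_digests(message: bytes,
                    algorithms: Sequence[str] = HASH_ALGORITHMS) -> Dict[str, bytes]:
    """Sender side: one digest per selected hash function."""
    return {name: hashlib.new(name, message).digest() for name in algorithms}

def verify_digests(message: bytes, received: Dict[str, bytes],
                   algorithms: Sequence[str] = HASH_ALGORITHMS) -> Dict[str, bool]:
    """Recipient side: a per-function verdict, compared in constant time.
    A missing digest counts as a failed verification."""
    verdicts = {}
    for name in algorithms:
        expected = hashlib.new(name, message).digest()
        verdicts[name] = hmac.compare_digest(expected, received.get(name, b""))
    return verdicts

def accept(message: bytes, received: Dict[str, bytes],
           algorithms: Sequence[str] = HASH_ALGORITHMS) -> bool:
    """All digests must verify; any single failure rejects the message."""
    return all(verify_digests(message, received, algorithms).values())

if __name__ == "__main__":
    original = b"transfer 1000 to account 42"   # constructed sample message
    digests = produce_digests(original)
    assert accept(original, digests)
    # Simulated interference in which only one of the three digests could
    # be made to match the altered message: the other two still fail, so
    # the recipient rejects and can see which function disagreed.
    altered = b"transfer 9000 to account 42"
    forged = dict(digests, sha256=hashlib.sha256(altered).digest())
    print(verify_digests(altered, forged))   # sha256 True, the others False
    assert not accept(altered, forged)
```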

Such methods as described above typically find use in e-commerce transactions involving large monetary transactions where the authenticity of the signatory is critical.

A further embodiment of the invention provides for a computer system programmed in accordance with the methods described herein.

Furthermore, an embodiment of the invention provides for a data carrier such as a computer disk, CD-ROM, and the like, carrying computer code for implementing the methods described herein.

A further embodiment of the invention provides for a virtual environment, such as an applet, for implementing the methods described herein.

Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto.

The invention claimed is:
 1. A method for communicating information, in a data communication system, between at least a first correspondent and a second correspondent interconnected through a data communication channel therebetween, said method comprising the steps of: a) selecting a plurality of cryptographic algorithms known to said first correspondent and second correspondent; b) said first correspondent applying each of said selected cryptographic algorithms to the same information in a common message in a predetermined manner for producing for that algorithm a corresponding set of processed information; c) said first correspondent transmitting said sets of processed information to said second correspondent; and d) said second correspondent applying complementary operations of each of said selected cryptographic algorithms in accordance with said predetermined manner to respective ones of said sets of processed information for deriving, from each of said sets of processed information, information related to said common message.
 2. The method according to claim 1 wherein said cryptographic algorithms are public key digital signature schemes and said complementary operations perform respective verifications of respective digital signatures.
 3. The method according to claim 1 wherein the results of said complementary operations are compared to provide an indication of the authenticity of said sets of processed information.
 4. The method according to claim 1, wherein said cryptographic algorithms are hashing functions.
 5. The method according to claim 1 wherein said information related to said common message is identically equal to said common message.
 6. The method according to claim 1, wherein said information related to said common message is a mathematical representation of said common message.
 7. The method according to claim 1 wherein said cryptographic algorithms are digital signature schemes, and wherein said sets of processed information include at least two independently generated digital signatures of said common message.
 8. The method according to claim 7 wherein said second correspondent verifies each of said digital signatures.
 9. A method of preparing information to be communicated between a first correspondent and a second correspondent over a data communication channel, said method comprising the steps of: a) selecting a plurality of cryptographic algorithms known to said first correspondent and second correspondent; b) said first correspondent applying each of said selected cryptographic algorithms to the same information in a common message in a predetermined manner to produce, for that algorithm, a corresponding set of processed information; and c) said first correspondent transmitting said sets of processed information to said second correspondent.
 10. The method according to claim 9 wherein said cryptographic algorithms are digital signature schemes, and wherein said sets of processed information include at least a pair of signatures.
 11. A method of verifying the authenticity of a plurality of sets of processed information sent by a first correspondent over a data communication channel to a second correspondent, each set of processed information having been obtained by applying a respective one of a plurality of cryptographic algorithms in a predetermined manner to the same information in a common message, said method comprising the steps of: receiving said plurality of sets of processed information; and for each set of processed information of said plurality of sets of processed information, applying complementary operations of a respective one of said plurality of cryptographic algorithms to that set of processed information in accordance with said predetermined manner to verify the authenticity of that set of processed information.
 12. The method according to claim 11 wherein said cryptographic algorithms are digital signature schemes applied to said common message to obtain corresponding digital signatures, and wherein said verifying the authenticity of said sets of processed information includes verifying each of said digital signatures.
 13. A data communication system comprising: a first cryptographic unit; a second cryptographic unit; and a data communication channel therebetween, wherein: each of said cryptographic units stores a common plurality of cryptographic algorithms; said first cryptographic unit is configured for: selecting two or more of said plurality of cryptographic algorithms, applying each of said selected algorithms to the same information in a common message in a predetermined manner for producing for that algorithm a corresponding set of processed information; and transmitting said sets of processed information to said second cryptographic unit; and said second cryptographic unit is configured for applying complementary operations of each of said selected cryptographic algorithms in accordance with said predetermined manner to respective ones of said sets of processed information for deriving, from each of said sets of processed information, information related to said common message.
 14. The system according to claim 13 wherein said cryptographic algorithms are digital signature schemes.
 15. The system according to claim 14 wherein said first cryptographic unit operates to produce a respective digital signature on said common message with each of said cryptographic algorithms such that a plurality of digital signatures is produced.
 16. A cryptographic unit for preparing information to be communicated between a first correspondent and a second correspondent over a data communication channel, said cryptographic unit being configured for: selecting a plurality of cryptographic algorithms known to said first correspondent and said second correspondent; applying each of said selected cryptographic algorithms to the same information in a common message in a predetermined manner for producing for that algorithm a corresponding set of processed information; and transmitting said sets of processed information to said second correspondent.
 17. The cryptographic unit according to claim 16 wherein said cryptographic algorithms are digital signature schemes and said sets of processed information include at least a pair of digital signatures.
 18. A cryptographic unit for verifying the authenticity of a plurality of sets of processed information sent by a first correspondent over a data communication channel, each set of processed information having been obtained by applying a respective one of a plurality of cryptographic algorithms in a predetermined manner to the same information in a common message, said cryptographic unit being configured for: receiving said plurality of sets of processed information; and for each set of processed information of said plurality of sets of processed information, applying complementary operations of a respective one of said plurality of cryptographic algorithms to that set of processed information in accordance with said predetermined manner to verify the authenticity of that set of processed information.
 19. The cryptographic unit according to claim 18 wherein said cryptographic algorithms are digital signature schemes applied to said common message to obtain corresponding digital signatures, and wherein said method further comprises the step of verifying each of said digital signatures.